Two of IBM’s aging flagship server models, retired in 2019, will not be patched for a command-injection flaw.
Two legacy IBM System x server models, retired in 2019, are open to attack and will not receive security patches, according to hardware maker Lenovo. The company is, however, offering workaround mitigations.
The two products, IBM System x 3550 M3 and IBM System x 3650 M3, are both vulnerable to command injection. The bug lets an authenticated adversary execute arbitrary operating-system commands on the Integrated Management Module (IMM), the management controller built into either server, rather than merely the management functions the IMM is meant to expose.
IMM is used for systems-management functions. On the back panel of System x models, serial and Ethernet connectors use the IMM for machine management. The flaw, according to a Lenovo advisory posted Tuesday, is in the IMM firmware code and “could allow the execution of operating system commands over an authenticated SSH or Telnet session.”
SSH, or Secure Shell, is a cryptographic network protocol that lets two computers communicate or share data over an encrypted, authenticated channel. Telnet is an older remote-login protocol that lets users log into another computer on the network. Telnet does not encrypt anything sent over its connection, so usernames, passwords and every command typed cross the wire in cleartext.
The bug, tracked as CVE-2021-3723, was disclosed on Wednesday; bug hunter Denver Abrey is credited with finding it.
Eight vulnerabilities in a later version of IMM, known as IMM2, were identified in June 2020, three of them high-severity. Those bugs were tied to flaws in libssh2, the client-side library that implements the SSH2 protocol.
Both the System x 3550 M3 and System x 3650 M3 were introduced April 5, 2011 as solutions for midsized businesses. On June 30, 2015, Lenovo announced that both systems were discontinued but would receive security updates for five more years.
According to the Lenovo security bulletin, software and security support for System x 3550 and 3650 ended December 31, 2019.
“Lenovo has historically provided support and guidance for at least five years following a product’s withdrawal from marketing. This is subject to change at Lenovo’s sole discretion without notice. Lenovo will announce a product’s EOS date at least 90 days in advance of the actual EOS date and in most cases longer,” wrote Lenovo.
On Wednesday Lenovo said it “recommends discontinuation of use” of both servers, but provided a “mitigation strategy” for those who cannot.
“If it is not possible to discontinue use of these systems,” Lenovo advised:
- Disable SSH and Telnet (this can be done in the Security and Network Protocol sections of the navigation pane after logging into the IMM web interface). Since the flaw is only reachable over an authenticated SSH or Telnet session, removing both services removes the attack path.
- Change the default Administrator password during initial configuration
- Enforce strong passwords
- Only grant access to trusted administrators
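Because the fix is a configuration change rather than a patch, the practical question for anyone still running these boxes is whether SSH and Telnet are actually off on every IMM. The following script is an added example written for this article, not Lenovo's or IBM's code: it probes the SSH (TCP 22) and Telnet (TCP 23) ports of each IMM address given on the command line and reports which controllers still expose them. The hostnames in the default list are constructed placeholders, and the port numbers are the IANA defaults; an IMM configured with non-default ports would need them adjusted.

```python
"""Audit whether IMM management controllers still expose SSH or Telnet.

Added example (not vendor code). Probes the two services Lenovo's
workaround says to disable and distinguishes a mitigated controller
(connection refused) from one that simply could not be reached, so an
offline or firewalled IMM is never mistaken for a fixed one.
"""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass

# Services named in Lenovo's mitigation list, keyed by default TCP port.
MITIGATED_SERVICES = {22: "ssh", 23: "telnet"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    state: str  # "open", "closed" or "unreachable"


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port on one host.

    "open"        a handshake completed: the service is listening, so the
                  mitigation has not been applied (it does not by itself
                  prove the firmware is vulnerable).
    "closed"      the host answered with a reset: nothing listening.
    "unreachable" timeout, no route or DNS failure: inconclusive.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "unreachable"


def audit_host(host: str, services: dict[int, str] = MITIGATED_SERVICES,
               timeout: float = 2.0, probe=probe_port) -> list[Finding]:
    """Probe every mitigated service on a single IMM address.

    `probe` is injectable so the logic can be exercised without a network.
    """
    return [Finding(host, port, name, probe(host, port, timeout))
            for port, name in services.items()]


def verdict(states: dict[str, str]) -> str:
    """Collapse per-service states for one host into a one-line verdict."""
    exposed = sorted(svc for svc, st in states.items() if st == "open")
    if exposed:
        return "EXPOSED: " + ",".join(exposed)
    if any(st == "unreachable" for st in states.values()):
        return "INCONCLUSIVE"
    return "MITIGATED"


def audit(hosts: list[str], probe=probe_port) -> dict[str, str]:
    """Return {host: verdict} for a list of IMM addresses."""
    results = {}
    for host in hosts:
        findings = audit_host(host, probe=probe)
        results[host] = verdict({f.service: f.state for f in findings})
    return results


def main(argv: list[str]) -> int:
    # Constructed placeholder names; pass real IMM addresses as arguments.
    hosts = argv[1:] or ["imm-3550-01.mgmt.example", "imm-3650-01.mgmt.example"]
    results = audit(hosts)
    for host, result in results.items():
        print(f"{host}: {result}")
    # Non-zero exit if anything is still exposed, for use from cron or CI.
    return 1 if any(r.startswith("EXPOSED") for r in results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host on the management network, e.g. `python3 imm_audit.py 10.20.30.11 10.20.30.12`. A controller reporting INCONCLUSIVE should be checked by hand through the IMM web interface rather than assumed fixed; a firewall that drops the probe looks identical to a powered-off IMM.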
Lenovo did not say whether it was aware of any active campaigns targeting the vulnerability.